Account access management
As people join, depart, and move through your organization, you need to change their data access. With Data Governance Edition, you can validate that users and groups have been granted access to all the resources they need, ensure that they do not have access to excess resources, and manage their access when problems arise.
The following commands are available to you to manage account access. For full parameter details and examples, click a command hyperlink in the table or see the command help, using the Get-Help command.
Table 183: Account access management commands
|
Get-QAccountAccess |
View where users and groups have access on a managed host.
For more information, see Get-QAccountAccess.
NOTE: This PowerShell cmdlet does not support Cloud managed hosts. |
|
Get-QAccountAccessOnHosts |
View the resource access for a given account (Domain\SAMAccountName) across all available hosts.
For more information, see Get-QAccountAccessOnHosts.
NOTE: This PowerShell cmdlet does not support Cloud managed hosts. |
|
Get-QAccountActivity |
View the activity associated with a user on a managed host.
For more information, see Get-QAccountActivity.
NOTE: This PowerShell cmdlet does not support Cloud managed hosts. |
|
Get-QAccountAliases |
View the group membership for a specified account. For example, if one of these groups (aliases) has access to a resource, the original account also has this access.
For more information, see Get-QAccountAliases. |
|
Get-QAccountsForHost |
View all account access for a specific managed host.
For more information, see Get-QAccountsForHost. |
|
Get-QADAccount |
View the Active Directory objects from the One Identity Manager and QAM (Data Governance Edition) tables: ADSAccount, ADSGroup, ADSOtherSID, QAMLocalUser and QAMLocalGroup.
For more information, see Get-QADAccount. |
|
Get-QGroupMembers |
View all the members of a group, including members of child groups. Because user and group access may be the result of several layers of nested groups, this helps you to assess how a specific account has gained access to a resource.
For more information, see Get-QGroupMembers. |
|
Get-QIndexedTrustees |
View all of the entries from the QAMTrustee table who are also listed within the QAMSecurityIndex table, denoting an indexed trustee.
For more information, see Get-QIndexedTrustees. |
Get-QAccountAccess
Returns where users and groups have access on a managed host.
Syntax:
Get-QAcccountAccess [-ManagedHostId] <String> [-TargetType] <QAM.Client.PowerShell.TargetType> [-TargetId] <String> [-ResType] <QAM.Client.PowerShell.QueryResourceType> [[-AccountOrigin] [<String>] [[-Direct] [<SwitchParameter>]] [[-Exclusions] [<String[]>]] [[-DataUnderGovernance] [<SwitchParameter>]] [<CommonParameters>]
Table 184: Parameters
| ManagedHostId |
Specify the ID (GUID format) of the managed host whose access you are interested in.
Run the Get-QManagedHosts command to retrieve a list of managed hosts and their IDs. |
| TargetType |
Specify one of the following types for the target object:
|
| TargetId |
Specify the ObjectSid for the account or employee. |
| ResType |
Specify the type of resource to be queried. Valid values are:
- CloudFiles
- CloudFolders
- Files
- Folders
- Shares
- LocalOSRights
- AdminRights
- ServiceIdentities
- SharePointResources
- SharePointFarmAdminRights
- SharePointWebAppPolicies
- SharePointSiteCollectionAdminRights
|
| AccountOrigin |
(Optional) Specify the origin of the trustee SID specified in the query. Enter the DNS name of the reference domain or computer for the SID.
If this parameter is not specified, the server will attempt to infer it. |
| Direct |
(Optional) Specify this parameter if you want the query to retrieve only direct access points.
If this parameter is not specified, group membership expansion should be taken into account. |
| Exclusions |
(Optional) Specify a list of trustees that are not to be considered for account access via group membership. This means that if the account being considered is a member of one of the excluded trustees, that access will be ignored.
The list must be an array of strings in the following format: [domain DNS name:]SID. The domain DNS name portion can be excluded, in which case Data Governance Edition will infer what it can. For built-in accounts, a missing DNS name means that all of the instances of the provided SID must be excluded. |
| DataUnderGovernance |
(Optional) Specify this parameter if you want to include only governed resources in your query.
If this parameter is not specified, the query will include all resources. |
Examples:
Table 185: Examples
|
Get-QAccountAccess -ManagedHostId 72eed1b9-bf06-4bb9-9ac4-1886daafc514 -TargetId 6a894591-f707-41e5-a187-6b379d07c043 -ResType Folders -AccountOrigin xdomain.local -TargetType Employee -Direct $true |
Looks at a managed host with id 72eed1b9-bf06-4bb9-9ac4-1886daafc514. The account or trustee in question has a SID of 6a894591-f707-41e5-a187-6b379d07c043, its type is Employee and the resource type is folders. |
Details retrieved:
Table 186: Details retrieved
| RightType |
The access right type. |
| ItemResourceType |
The resource type. |
| ResourceURI |
The URI of the resource to which the trustee has access. |
| TrusteeDisplayName |
The display name of the trustee. |
| TrusteeSid |
The SID assigned to the account (trustee). |
| HostName |
The host where the resource resides. |
| Rights |
The specific access rights assigned. |
| AppliesTo |
What the rights apply to. |
| Inheritance |
The type of inheritance. |
Get-QAccountAccessOnHosts
For a given account (Domain\SAMAccountName), this cmdlet retrieves the account's resource access across all available hosts.
Note: This PowerShell cmdlet does not support Cloud managed hosts.
Syntax:
Get-QAccountAccessOnHosts [-AccountName] <String> [-AccountDomain] <String> [-ManagedHostList [<String>]] [-UriFilterPattern [<String>]] [-DirectOnly [<Switch Parameter>]] [-ResourceTypes [<String>]] [-OutputDirectory [<String>]] [-VerboseLogging [<Switch Parameter>]] [<CommonParameters>]
Table 187: Parameters
| AccountName |
Specify the name of the account to perform the access report on. |
| AccountDomain |
Specify the name of the domain to perform the access report on. |
| ManagedHostList |
(Optional) Specify the managed hosts to be included in the report.
If this parameter is not specified, all managed hosts are included. |
| UriFilterPattern |
(Optional) Specify a string to limit the report to only include resources whose URI contains the given text string. |
| DirectOnly |
(Optional) Specify this parameter to exclude indirect access to a resource from the results. |
| ResourceTypes |
(Optional) Specify the types of resources to be included in the report. Valid resource types are:
- Files
- Folders
- Shares
- LocalOSRights
- AdminRights
- SharePoint (includes all of other SharePoint resource types)
- SharePointResourceItems
- SharePointFarmAdminRights
- SharePointWebAppPolicies
- SharePointSiteCollectionAdminRights
If this parameter is not specified, all resource types are included. |
| OutputDirectory |
(Optional) Specify an absolute path to a directory where the results are to be saved. If the directory does not exist, it will be created.
If this parameter is not specified, the results are only written to the PowerShell output stream. |
| VerboseLogging |
(Optional) Specify this parameter to turn on verbose logging. |
Examples:
Table 188: Examples
|
Get-QAccountAccessOnHosts -AccountName Administrator -AccountDomain MyDomain -ResourceTypes @("SharePoint", "Folders") -OutputDirectory "C:\log.txt" -VerboseLogging |
Retrieves all SharePoint and folder access for account "Administrator" in domain "MyDomain". Verbose logging is enabled and the results will be saved in C:\log.txt. |
Details retrieved:
Table 189: Details retrieved
| RightType |
The access right type. |
| ItemResourceType |
The resource type. |
| ResourceURI |
The URI of the resource to which the trustee has access. |
| TrusteeDisplayName |
The display name of the trustee. |
| TrusteeSid |
The SID assigned to the account (trustee). |
| HostName |
The host where the resource resides. |
| Rights |
The specific access rights assigned. |
| AppliesTo |
What the rights apply to. |
| Inheritance |
The type of inheritance. |
Get-QAccountActivity
Retrieves the activity associated with a user on the specified managed host.
Note: This PowerShell cmdlet does not support Cloud managed hosts.
Syntax:
Get-QAccountActivity [-Trustees] <String[]> [-ManagedHostId] <String> [[-Extensions] [<String[]>]] [[-StartTime] [<DateTime>]] [[-EndTime] [<DateTime>]] [<CommonParameters>]
Table 190: Parameters
| Trustees |
The security identifier (SID) of the account whose activity you are interested in. |
| ManagedHostId |
The ID (GUID format) of the managed host you would like to see activity for.
Run the Get-QManagedHosts command to retrieve a list of managed hosts and their associated IDs. |
| Extensions |
(Optional) Specify the extensions of the file types to be excluded from the query. |
| StartTime |
(Optional) Specify the start date and time (UTC) if you only want to see activity for a time span.
Specify the start time in the following format: "23/01/2016 10:36.30 PM" |
| EndTime |
(Optional) Specify the end date and time (UTC) if you only want to see activity for a time span.
Specify the end time in the following format: "23/01/2016 10:37.30 PM" |
Examples:
Table 191: Examples
| Get-QAccountActivity S-1-5-21-3263556741-3296809600-1972185209-1104 3d7e4bb0-e9e2-4d98-b948-21ac7ba1eca6 |
Returns all the activity for the specified account on the managed host with Id 3d7e4bb0-e9e2-4d98-b948-21ac7ba1eca6. |
Details retrieved:
Table 192: Details retrieved
| NodeId |
The ID used to link the activity database to the QAMNode table. (AuditNodeId in QAMNode table.) |
| ManagedHostId |
The value (GUID format) assigned to the managed host where the resource is located. |
| ManagedHostName |
The name of the host where the resource is located. |
| ResourceId |
The ID assigned to the operation that was performed. |
| ParentResourceId |
Shows which resource in the activity database is the parent. |
| ResourcePath |
For file system resources, the path of the resource. |
| SharePointPath |
For SharePoint resources, the path of the resource. |
| TypeResource |
The type of resource. |
| Operation |
The type of operation performed against the resource. |
| StartTime |
The start date and time for collecting resource activity. Activity is stored in 'time spans'. |
| EndTime |
The end date and time for collecting resource activity. Activity is stored in 'time spans'. |
| TrusteeType |
The type of account. |
| TrusteeName |
The display name of the trustee that initiated the operation. |
| TrusteeSid |
The security identifier (SID) assigned to the account (trustee) that initiated the operation. |
| AuditTrusteeId |
The ID associated with the account that performed the operation. (UID_QAMTrustee in QAMTrustee table.) |
| AccessCount |
The number of times the operation occurred during the aggregation interval. |
